Firewalls Don't Stop Dragons Podcast

Going through border security today – even just returning to your own country – is not at simple and stress-free as it should be. The likelihood of our digital devices being searched by a border agent has increased in recent years and political sensitivities today can be high. Our devices have access to a ridiculous amount of extremely personal information. How can we protect ourselves? The answers aren’t great, but I’ll give the current best advice from immigration lawyers and civil rights groups. In other news: the Apple-UK data privacy court case will be at least partially public; some companies are ignoring automated opt-out signals; Waymo may use interior car video to train its AI; data breaches at Hertz and a Planned Parenthood medical lab; air travel group paints a picture of future use of facial recognition; San Francisco police have a new surveillance center; Ukraine drones come with anti-Russian malware; judge rules that ‘cell tower dumps’ require a warrant. Article Links [bbc.com] Apple-UK data privacy row should not be secret, court rules https://www.bbc.com/news/articles/cvgn1lz3v4no [innovation.consumerreports.org] New Report: Many Companies May Be Ignoring Opt-Out Requests Under State Privacy Laws https://innovation.consumerreports.org/new-report-many-companies-may-be-ignoring-opt-out-requests-under-state-privacy-laws/ [techcrunch.com] Waymo may use interior camera data to train generative AI models, but riders will be able to opt out https://techcrunch.com/2025/04/08/waymo-may-use-interior-camera-data-to-train-generative-ai-models-sell-ads/ [Bleeping Computer] US lab testing provider exposed health data of 1.6 million people https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/ [9to5mac.com] PSA: Hertz belatedly says customer personal data stolen, inc credit card details https://9to5mac.com/2025/04/15/psa-hertz-belatedly-says-customer-personal-data-stolen-inc-credit-card-details/ [theguardian.com] Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans https://www.theguardian.com/world/2025/apr/11/boarding-passes-and-check-in-to-be-scrapped-in-air-travel-shake-up-plans [cbsnews.com] San Francisco Police’s new surveillance hub being credited with 20% drop in crime https://www.cbsnews.com/sanfrancisco/news/san-francisco-police-surveillance-hub-real-time-investigation-center/ [forbes.com] Russians Capture Ukrainian Drones Which Infect Their Systems With Malware https://www.forbes.com/sites/vikrammittal/2025/04/02/russians-capture-ukrainian-drones-which-infect-their-systems-with-malware/ [404media.co] Judge Rules Blanket Search of Cell Tower Data Unconstitutional https://www.404media.co/judge-rules-blanket-search-of-cell-tower-data-unconstitutional/ Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity/  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/  How and why to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Table of Contents 0:00:00: Intro 0:00:24: Update Apple stuff 0:00:42: Dragon coin promo! 0:01:32: News preview 0:04:11: Apple-UK data privacy row should not be secret, court rules 0:08:14: Many Companies May Be Ignoring Opt-Out Requests 0:14:20: Waymo may use interior camera data to train generative AI models 0:19:56: US lab testing provider exposed health data of 1.6 million people 0:24:22: Hertz belatedly says customer personal data stolen, inc credit card details 0:27:18: Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans 0:30:58: San Francisco Police’s new surveillance hub being credited with 20% drop in crime 0:38:06: Russians Capture Ukrainian Drones Which Infect Their Systems With Malware 0:42:34: Judge Rules Blanket Search of Cell Tower Data Unconstitutional 0:46:31: Tip of the Week: Travel Insecurity 1:03:57: Wrap-up 1:04:17: Merlin’s Musings preview 1:04:59: Looking ahead

It’s easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we’ll delve into the world of the “blue team” – the defenders who are charged with protecting your data and the services you depend on – with cyber expert Oz Jones. Along the way, we’ll learn valuable lessons for everyone. Interview Notes Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/  Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/  CIS Controls: https://www.cisecurity.org/controls  Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:29: Patron promo is LIVE! 0:01:16: Correction 0:01:49: Interview setup 0:04:44: Jargon definitions 0:06:39: How did you get into cyber incident response? 0:09:56: What does it mean to be on the Blue Team? 0:13:25: What are the most impactful cyber threats to companies today? 0:16:34: Are people or companies most as risk for ransomware attacks? 0:19:57: What impact has cyber insurance had on cyber security? 0:21:02: What are the most common types of attacks on companies? 0:23:59: How should companies educate their employees about cyber threats? 0:30:48: How does working from home or using personal devices impact cyber attacks? 0:35:22: How can you protect your company against supply chain attacks? 0:38:45: What resources are available to help companies prepare? 0:41:07: How can we detect attacks and malware infections? 0:44:22: After an attack, how do you respond? 0:48:05: What are my legal obligations for notifying my customers? 0:50:25: Are table top simulations useful? 0:52:07: Are there incident response consultants you can hire? 0:53:05: Can you recommend some helpful resources? 0:56:11: As consumers, how can we make better choices? 0:58:22: Interview wrap-up 1:01:51: Troy Hunt was pwned 1:03:04: Patron bonus preview 1:04:32: Looking ahead

When we collect a lot of personal data, say via the US Census, the goal is to glean important aggregate information and statistics, while somehow preserving the anonymity and privacy of the individual respondents. There’s a rigorous mathematical process for doing this – that’s actually not that hard to understand – called Differential Privacy. I’ll explain how it works. In the news: iOS has a new location privacy setting; Google confirms it’s rolling out AI to Gmail; Windows makes it much harder to avoid creating a Microsoft Account; WhatsApp is rolling out AI in Europe with no way to opt out; Switzerland is considering undermining encrypted communications; 23andMe is going bankrupt – it’s time to delete your data; France rejects a backdoor mandate; and finally, I have a lot to say about the US officials’ Signal chat debacle. Article Links [9to5mac.com] iOS 18.4 includes a new location services privacy setting for your iPhone https://9to5mac.com/2025/04/02/ios-iphone-new-location-services-privacy-toggle/ [forbes.com] Google Confirms Gmail Upgrade—3 Billion Users Must Now Decide https://www.forbes.com/sites/zakdoffman/2025/03/22/google-confirms-gmail-upgrade-3-billion-users-must-now-decide/ [windowscentral.com] Microsoft will force Windows 11 installs to use a Microsoft Account — confirms removal of popular setup bypass https://www.windowscentral.com/software-apps/windows-11/microsoft-will-force-windows-11-installs-to-use-a-microsoft-account-confirms-removal-of-popular-setup-bypass [Bleeping Computer] WhatsApp’s Meta AI is now rolling out in Europe, and it can’t be turned off https://www.bleepingcomputer.com/news/artificial-intelligence/whatsapps-meta-ai-is-now-rolling-out-in-europe-and-it-cant-be-turned-off/ [techradar.com] Secure encryption and online anonymity are now at risk in Switzerland – here’s what you need to know https://www.techradar.com/vpn/vpn-privacy-security/secure-encryption-and-online-anonymity-are-now-at-risk-in-switzerland-heres-what-you-need-to-know [arstechnica.com] FTC: 23andMe buyer must honor firm’s privacy promises for genetic data https://arstechnica.com/tech-policy/2025/04/ftc-watching-23andme-bankruptcy-sale-for-impact-on-users-genetic-data/ [schneier.com] The Signal Chat Leak and the NSA https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html [eff.org] A Win for Encryption: France Rejects Backdoor Mandate https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate How Differential Privacy Works: https://firewallsdontstopdragons.com/how-differential-privacy-works/  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:28: Coin promo teaser 0:02:47: News preview 0:05:21: iOS 18.4 includes a new location services privacy setting 0:10:09: Google Confirms Gmail AI Upgrade 0:16:41: Microsoft will force Windows 11 installs to use a Microsoft Account 0:20:57: WhatsApp’s Meta AI is now rolling out in Europe 0:23:32: Secure encryption and online anonymity are now at risk in Switzerland 0:27:33: FTC: 23andMe buyer must honor firm’s privacy promises for genetic data 0:35:09: The Signal Chat Leak 0:53:05: A Win for Encryption: France Rejects Backdoor Mandate 0:56:14: Tip of the Week: Differential Privacy 1:06:20: Coin promo details 1:11:04: Merlin’s Musings topic 1:11:29: Looking ahead

We’ve been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what’s in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don’t fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they’re really doing. Interview Notes Internet Safety Labs: https://internetsafetylabs.org/ App Microscope: https://appmicroscope.org/  Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/  Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/  Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic  Exodus Privacy: https://exodus-privacy.eu.org/en/  Henrietta Lacks: https://en.wikipedia.org/wiki/Henrietta_Lacks  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  My social media: https://firewallsdontstopdragons.com/contact/  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:31: Note on 23andMe 0:01:35: Follow my social media 0:01:58: Signal debacle 0:02:39: Interview setup 0:07:06: What is Internet Safety Labs and what do you do there? 0:09:49: What are the privacy risks with EdTech? 0:16:31: How did the pandemic impact EdTech software? 0:19:02: How does the “notice and consent” model work with EdTech software? 0:25:26: Do app makers even know what’s in their own software? 0:28:11: How do ads inside our apps get there? 0:30:45: How does App Microscope work? 0:32:33: How does safety differ from security? 0:34:37: What can you learn from the data and metadata an app generates? 0:37:22: Do you study “dark patterns” in apps? 0:41:42: How do you determine the software makeup of a given app? 0:47:10: How accurate are the app privacy “nutrition” labels? 0:51:58: How important are the non-technical aspects of an app for safety? 0:56:33: How do I use the App Microscope tool? 1:00:38: How can we support your efforts? 1:04:41: Interview follow-up 1:08:51: Burp Suite info 1:09:32: Patron bonus preview 1:10:27: Looking ahead

Tax time is once again upon us here in the USA, which means that the tax scammers are coming out of the woodwork. Many will claim to be representing the IRS, claiming that there is an urgent need to fix a problem with your return, threatening penalties if you don’t pay them money. Others will simply try to file fake returns in your name, but send the massive false refund checks to themselves. I’ll help you spot and avoid these scams. In other news: Apple’s Passwords app was vulnerable to phishing attacks (now fixed); Amazon is forcing Echo owners to share voice recordings; the Bluetooth chip “backdoor” that wasn’t; Captchas were used by Google to translate books and Street View images; ICE uses third party tool to scrape tons of your data; beware of online file converters; Clearview AI attempted to buy millions of mugshots; RCS messaging will soon allow end-to-end encrypted chats between iPhones and Android phones. Article Links [9to5mac.com] Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch https://9to5mac.com/2025/03/18/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch/ [arstechnica.com] Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/ [darkmentor.com] The ESP32 “backdoor” that wasn’t https://darkmentor.com/blog/esp32_non-backdoor/ [techradar.com] Captcha if you can: how you’ve been training AI for years without realising it https://www.techradar.com/news/captcha-if-you-can-how-youve-been-training-ai-for-years-without-realising-it [404media.co] The 200+ Sites an ICE Surveillance Contractor is Monitoring https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/ [malwarebytes.com] Warning over free online file converters that actually install malware https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware [404media.co] Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database https://www.404media.co/facial-recognition-company-clearview-attempted-to-buy-social-security-numbers-and-mugshots-for-its-database/ [appleinsider.com] RCS messaging will get end-to-end encryption on iPhone https://appleinsider.com/articles/25/03/14/rcs-messaging-will-get-end-to-end-encryption-on-iphone Tip of the Week: https://firewallsdontstopdragons.com/its-tax-scam-time/  Further Info Data Diva interview: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker  Malwarebytes interview: https://www.malwarebytes.com/blog/podcast/2025/03/what-google-chrome-knows-about-you-with-carey-parker-lock-and-code-s06e06  Amazon Mechanical Turk: https://en.wikipedia.org/wiki/Amazon_Mechanical_Turk  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:00: Intro 0:00:21: Guest appearances 0:01:22: News preview 0:03:50: Apple’s Passwords app was vulnerable to phishing attacks for nearly three months 0:10:41: Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out 0:21:30: The ESP32 “backdoor” that wasn’t 0:29:16: Captcha if you can: how you’ve been training AI for years without realising it 0:35:08: The 200+ Sites an ICE Surveillance Contractor is Monitoring 0:43:10: Warning over free online file converters that actually install malware 0:46:00: Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database 0:49:31: RCS messaging will get end-to-end encryption on iPhone 0:53:02: Tip of the Week 0:57:26: Wrap-up

Josh Summers lived in China for many years and learned a lot about privacy and security. Since he left, he’s made it his mission to share this knowledge through his website and YouTube channel called All Things Secured – helping regular, everyday people like you and me to protect our data and devices. Today we’ll talk specifically about improving your security and privacy on iPhones and Android phones, and even some alternatives outside the Apple and Google ecosystems. Interview Notes All Things Secured: https://www.allthingssecured.com/  All Things Secured YouTube: https://www.youtube.com/@AllThingsSecured  Apple iPhone Lockdown Mode: https://support.apple.com/en-us/105120  Apple Stolen Device Protection: https://support.apple.com/en-us/120340  Apple Advanced Data Protection: https://support.apple.com/en-us/108756  Android Theft Protection: https://blog.google/products/android/android-theft-protection/  Google Advanced Protection Program: https://landing.google.com/advancedprotection/faq/  iPhone hide/lock apps: https://support.apple.com/guide/iphone/lock-or-hide-or-an-app-iph00f208d05/ios  Cryptomator: https://cryptomator.org/  OsmAnd maps: https://osmand.net/  Jitsi video conferencing: https://jitsi.org/  Hoody AI: https://hoody.com/ai  DuckDuckGo AI: https://duck.ai/  GrapheneOS: https://grapheneos.org/  Further Info Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents 0:00:14: intro 0:00:27: Couple quick news items 0:01:59: Interview setup 0:02:47: How did you come to start All Things Secured? 0:04:41: What’s is like living in China, from a privacy perspective? 0:07:26: What are the basic security and privacy risks with a smartphone? 0:11:21: How do iPhones compare to Android phones? 0:13:35: How does Android’s multi-level ecosystem impact security? 0:16:42: How secure are smartphones against remote attacks? 0:19:39: Can you protect your smartphone against direct physical access? 0:25:20: What are some of the latest and greatest smartphone security features? 0:35:51: What if we don’t trust Apple or Google’s security? 0:40:05: If we don’t trust Apple or Google apps, which ones should we consider using? 0:45:35: How can we protect our privacy with AI? 0:53:08: Are there better smartphone options beyond iOS and Android? 0:56:27: What worries you most? What gives you hope? 0:58:54: How can we learn more from you? 1:00:01: Interview wrap-up 1:00:55: Patron bonus content 1:01:55: Guest appearances 1:02:47: Looking ahead

Google’s Chrome browser is rolling out changes that will hamstring ad blockers – so there’s never been a better time to try a better browser. There are a handful of good options, but I’m going to recommend that you try Firefox with a fantastic ad blocker called uBlock Origin. If you’ve never tried this powerful combination, you won’t believe what you’ve been missing. In other news: the UK scrubs all encryption advice from government sites; Signal’s CEO threatens to leave Sweden over backdoor demands; UK private health services hit by Medusa ransomware; Australian IVF provider has patient data stolen; Brazil gives Apple 90 days to allow side loading of apps; millions of Android TVs hijacked by a botnet; Qualcomm and Google team up to offer 8 years of Android updates; Google rolls out AI voice call scam detector; and confusion over Trump admin orders regarding Russia cyber threats. Article Links [techcrunch.com] UK quietly scrubs encryption advice from government websites https://techcrunch.com/2025/03/06/uk-quietly-scrubs-encryption-advice-from-government-websites/ [swedenherald.com] Signal’s CEO: Then We’re Leaving Sweden https://swedenherald.com/article/signals-ceo-then-were-leaving-sweden [theregister.com] Medusa ransomware gang demands $2M from UK private health services provider https://www.theregister.com/2025/02/20/medusa_hcrg_ransomware/ [techcrunch.com] Hackers publish sensitive patient data allegedly stolen from Australian IVF provider Genea https://techcrunch.com/2025/02/26/hackers-publish-sensitive-patient-data-allegedly-stolen-from-australian-ivf-provider-genea/ [9to5mac.com] Brazilian court gives Apple 90 days to allow sideloading on iOS https://9to5mac.com/2025/03/06/brazilian-court-apple-sideloading-ios/ [tomsguide.com] Millions of Android TVs hijacked in massive botnet https://www.tomsguide.com/computing/online-security/millions-of-android-tvs-hijacked-in-massive-botnet-how-to-see-if-yours-is-at-risk [arstechnica.com] Qualcomm and Google team up to offer 8 years of Android updates https://arstechnica.com/gadgets/2025/02/qualcomm-and-google-team-up-to-offer-8-years-of-android-updates/ [The Hacker News] Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud https://thehackernews.com/2025/03/google-rolls-out-ai-scam-detection-for.html [zetter-zeroday.com] Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-cisa-to-stand-down-on-russia/ [theregister.com] uBlock Origin dead for many as Google purges Manifest v2 extensions https://www.theregister.com/2025/02/24/google_v2_eol_v3_rollout/ Tip of the Week: Slay Browser Ads: https://firewallsdontstopdragons.com/dragon-hacks-slay-browser-ads/  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Check out my dragon challenge coin: https://fdsd.me/coin2  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:07: Intro 0:00:26: Update your Android devices 0:00:47: News rundown 0:02:50: UK quietly scrubs encryption advice from government websites 0:08:45: Signal’s CEO: Then We’re Leaving Sweden 0:11:01: Medusa ransomware gang hits UK health services provider 0:15:32: Hackers publish patient data allegedly from Australian IVF provider 0:19:13: Brazilian court gives Apple 90 days to allow sideloading on iOS 0:22:32: Millions of Android TVs hijacked in massive botnet 0:32:17: Qualcomm and Google offer 8 years of Android updates 0:39:18: Google Rolls Out AI Scam Detection for Android 0:45:09: Did Trump Admin Order U.S. to Stand Down on Russia? 0:54:39: uBlock Origin dead for many as Google purges Manifest v2 extensions 0:59:53: Tip of the Week: Slay Browser Ads 1:04:06: Looking ahead 1:04:54: Patron info

Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We’ll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them. Interview Notes Veracode: https://www.veracode.com/  L0pht.com: https://l0pht.com/  L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY  DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM  MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up  The Open Organisation Of Lockpickers (TOOOL): https://toool.us/  2600: https://www.2600.com/  Classic engineering references: https://bitsavers.org/  Further Info Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:16: intro 0:00:40: Interview setup 0:03:19: How did you come to be in The L0pht? 0:08:36: How did meeting in real life as well as online affect L0pht’s dynamics? 0:09:34: How did you find so much free and adandoned computer hardware? 0:13:44: How did you manage to just drive your van in the NSA parking lot? 0:19:20: What has been the lasting impact of your Congressional testimony in 1998? 0:21:45: How did you come to invite cyber czar Richard Clarke to The L0pht? 0:27:17: How have hackers pushed back against overreach from corporations? 0:36:05: Why are lockpicking and computer hacking so closely related? 0:40:55: Is it easier or harder to be a hacker today versus when you started? 0:45:56: Are we still fighing the Crypto Wars of the 90s? Are we winning? 0:51:17: Are there any glaring misconceptions about The L0pht you’d like to fix? 0:55:16: Where are The L0pht folks now and what are they up to? 0:57:51: Interview wrap-up 1:00:59: Patron bonus preview 1:01:35: Looking ahead

Not all Privacy Enhancing Technologies are new – but this one is probably new to you. Onion routing was developing in the 1990’s by the US government and is the basis for the Tor Network. Onion routing does one thing very well: it masks your actual IP address. While you can use a VPN for this purpose, onion routing adds a different layer of anonymity – and it’s just a cool technology. Today I’ll explain how it works, how to use it, and the pros and cons of doing so. In other news: Bitly is leveraging its URL-shortening empire to monetize your links; a major car company is experimenting with in-car pop up ads; a cautionary tale about law enforcement’s access to private phone data; Russian spies are using a clever new phishing technique to gain access to Microsoft 365 accounts; Apple pulls its Advanced Data Protection feature from the UK market in response to demands to ‘backdoor’ its encryption; and whatever your political beliefs, the chaos and careless changes made by the DOGE group are seriously undermining national security. Article Links [tedium.co] Broken Bits https://tedium.co/2025/02/07/bitly-terms-of-service-change/ [techstory.in] Stellantis Introduces Pop-Up Ads in Vehicles, Sparking Outrage Among Owners https://techstory.in/stellantis-introduces-pop-up-ads-in-vehicles-sparking-outrage-among-owners/ [arstechnica.com] No warrant or crimes—but Oregon woman’s nudes were shared after illegal phone search https://arstechnica.com/tech-policy/2025/02/no-warrant-or-crimes-but-oregon-womans-nudes-were-shared-after-illegal-phone-search/ [arstechnica.com] Russian spies use device code phishing to hijack Microsoft accounts https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/ [bbc.com] Apple pulls data protection tool after UK government security row https://www.bbc.com/news/articles/cgj54eq4vejo [schneier.com] DOGE as a National Cyberattack https://www.schneier.com/blog/archives/2025/02/doge-as-a-national.html Tip of the Week: How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/  Further Info Safe link shortener: https://kutt.it/ Read before using the Tor Browser: https://www.privacyguides.org/en/tor/  Tor Browser: https://www.torproject.org/download/  Onion sites that don’t suck: https://github.com/neilzone/onion-sites-that-dont-suck  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:07: News preview 0:02:19: Broken Bits 0:13:50: Stellantis Introduces Pop-Up Ads in Vehicles 0:20:28: Oregon woman’s nudes were shared after illegal phone search 0:28:03: Russian spies use device code phishing to hijack Microsoft accounts 0:35:07: Apple pulls data protection tool after UK government security row 0:45:58: DOGE as a National Cyberattack 0:59:54: Tip of the Week: Onion Routing 1:11:53: Wrap-up

Generic security advice is good, but tailored advice is much better. Everyone’s situation is a little different. What are you trying to protect? Who or what are you trying to protect it from? What are the consequences of failure? This is called threat modeling. And thankfully, the wonderful folks at Consumer Reports have a free, easy-to-use Security Planner tool that will help anyone do this assessment and provide custom solutions. My guest today is Yael Grauer, who will help us understand how to think about our security and how the CR tool can help you protect your data and devices. Interview Notes Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/  Yael’s website: https://yaelwrites.com/  Big Ass Data Broker Opt Out List (BADBOOL): https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List  Consumer Reports advocacy: https://advocacy.consumerreports.org/  CR’s Digital Standard: https://thedigitalstandard.org/  CR’s Consumer Readiness Report 2024 (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/09/2024-Consumer-Cyber-Readiness-Report.pdf  How to choose a PIN code: https://firewallsdontstopdragons.com/how-to-choose-a-pin/  Further Info Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:07: Intro 0:01:07: Interview setup 0:02:35: Yael introduction 0:04:19: What questions should we answer to get useful security advice? 0:06:41: How does Security Planner work? 0:08:03: How does Security Planner tailor its suggestions? 0:10:58: How do you decide what the most important factors are for security? 0:15:11: What might trigger me to re-run this tool and get a fresh report? 0:17:18: How does Consumer Reports research its recommendations? 0:19:59: How does CR vet the products and services that it recommends? 0:23:18: How do you weight things like convenience and ease of use? 0:27:34: Is it okay to make people pay for basic security features? 0:35:08: What role should government play in pushing for better security? 0:36:55: How important is transparency for driving better security? 0:39:15: What did the CR Cyber Readiness survey reveal? 0:43:22: Why do we choose bad passwords? 0:45:55: Why don’t companies provider better support for security problems? 0:51:39: What’s next for you and CR? How do we get updates? 0:53:43: Interview wrap-up 0:56:20: Patron bonus content preview 0:57:06: Looking ahead